Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools presented at AppSecUSA 2015

by Dave Wichers

Summary: The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without a way to measure these tools, it is difficult to understand their value or to interpret vendor claims. The OWASP Benchmark contains over 20,000 test cases that are fully runnable and exploitable.
This training class will give attendees details of how the Benchmark was developed, what the tests cover, and how to use it to evaluate tools. Students will be able to download a VM with the entire Benchmark fully installed and ready to go. They will be able to compile all the tests, run tools against the Benchmark, and generate scorecards for every tool they run. The scorecards describe how each tool performed and allow quick comparisons between tools. The VM will include numerous open source security vulnerability detection tools for use in the class, and attendees who have access to commercial vulnerability detection tools can use those as well.
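To make the scorecard idea concrete, the following is an added example (not the Benchmark project's own scoring code and not part of the original abstract). It takes a constructed expected-results table (each test case's vulnerability category and whether it is a real vulnerability or a false-positive decoy) and constructed findings from two hypothetical tools, then computes per-category and overall true-positive rate, false-positive rate, and a score defined as TPR minus FPR, which is the metric the OWASP Benchmark scorecards report. A finding only counts when the tool reports it in the matching category, so a tool that flags the right test under the wrong vulnerability class still scores a miss. Test names, categories and tool names here are placeholders chosen for the example.

```python
"""Toy scorecard generator in the spirit of the OWASP Benchmark.

Added example: the input layout, test names, tool names and findings are
constructed placeholders, not the project's real CSV files or real results.
"""
from collections import defaultdict

# Constructed expected results: test name -> (category, is_real_vulnerability).
# Entries with False are decoys that a precise tool should NOT flag.
EXPECTED = {
    "BenchmarkTest00001": ("sqli", True),
    "BenchmarkTest00002": ("sqli", False),
    "BenchmarkTest00003": ("sqli", True),
    "BenchmarkTest00004": ("xss", True),
    "BenchmarkTest00005": ("xss", False),
    "BenchmarkTest00006": ("xss", False),
    "BenchmarkTest00007": ("cmdi", True),
    "BenchmarkTest00008": ("cmdi", False),
}

# Constructed tool output: tool name -> set of (test name, category) it flagged.
TOOL_FINDINGS = {
    # ToolA finds every real bug but also flags one XSS decoy.
    "ToolA": {("BenchmarkTest00001", "sqli"), ("BenchmarkTest00003", "sqli"),
              ("BenchmarkTest00004", "xss"), ("BenchmarkTest00005", "xss"),
              ("BenchmarkTest00007", "cmdi")},
    # ToolB flags every test case: perfect recall, worthless precision.
    "ToolB": {(test, cat) for test, (cat, _real) in EXPECTED.items()},
}


def _rates(c):
    """Turn raw TP/FP/FN/TN counts into TPR, FPR and the TPR - FPR score."""
    positives = c["tp"] + c["fn"]
    negatives = c["fp"] + c["tn"]
    tpr = c["tp"] / positives if positives else 0.0
    fpr = c["fp"] / negatives if negatives else 0.0
    return {"tpr": tpr, "fpr": fpr, "score": tpr - fpr, **c}


def score_tool(expected, findings):
    """Score one tool's findings against the expected results, per category and overall."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for test, (cat, real) in expected.items():
        # A finding must name the same category to count as a hit.
        flagged = (test, cat) in findings
        if real:
            counts[cat]["tp" if flagged else "fn"] += 1
        else:
            counts[cat]["fp" if flagged else "tn"] += 1
    overall = {k: sum(c[k] for c in counts.values()) for k in ("tp", "fp", "fn", "tn")}
    result = {cat: _rates(c) for cat, c in counts.items()}
    result["overall"] = _rates(overall)
    return result


def scorecard(expected, tool_findings):
    """Score every tool so the results can be compared side by side."""
    return {tool: score_tool(expected, f) for tool, f in tool_findings.items()}


def render(card):
    """Format the scorecard as a plain-text table, one row per tool and category."""
    lines = [f"{'tool':<8}{'category':<10}{'TPR':>6}{'FPR':>6}{'score':>7}"]
    for tool, cats in card.items():
        ordered = sorted(c for c in cats if c != "overall") + ["overall"]
        for cat in ordered:
            r = cats[cat]
            lines.append(f"{tool:<8}{cat:<10}{r['tpr']:>6.2f}{r['fpr']:>6.2f}{r['score']:>7.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(scorecard(EXPECTED, TOOL_FINDINGS)))
```

Run as a script, this prints a table in which ToolA scores 0.75 overall (TPR 1.00, FPR 0.25) while ToolB, despite finding every real vulnerability, scores 0.00 because its false-positive rate is also 1.00. That is the point of subtracting FPR from TPR: a tool cannot buy a good score by flagging everything, which is exactly the vendor claim a benchmark like this is meant to check.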